2012/1/1 Raphael Kubo da Costa <rakuco@xxxxxxxxxxx>:
> Hi there,
>
> I package eigen on FreeBSD, and it has been reported that the current
> SHA256 sum of the 2.0.16 tarball provided by our port does not match the
> one from the actual download from BitBucket. Since we check the
> checksums before publishing an update, this means the tarball has
> changed since it was first published.
>
> Comparing FreeBSD's own copy of the 2.0.16 tarball [1]
How was it generated?
> with the one
> currently being provided by BitBucket [2], it looks like only the
> tarball name (and the directory inside it) have changed from
> eigen-eigen-2.0.16 to eigen-eigen-<hash of the commit which the tag
> points to>. diff shows no difference in the actual contents.
Of course that's the case: tagging a changeset only modifies the
special hgtags file.
How is that a problem?
>
> As a packager, I would appreciate if Eigen started providing
> "real" download tarballs in the Downloads section in BitBucket (like
> other projects do) to prevent this kind of issue -- I guess tarballs
> which are not created automatically do not risk being changed by
> BitBucket.
That would incur more manual work when doing releases and would
increase our reliance on BitBucket, so we would need a good reason to
do that.
Benoit
>
> [1]
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/distfiles/eigen/2.0.16.tar.bz2
> and other mirrors
> [2] https://bitbucket.org/eigen/eigen/get/2.0.16.tar.bz2
>
>
>
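
The situation discussed in this thread (a tarball whose checksum changed because only its top-level directory was renamed) can be told apart from a real content change by hashing each file with the root directory stripped. This is an added example, not part of the original thread or of the FreeBSD ports tooling; the function names and the in-memory sample archives, including the placeholder hash-style directory name, are constructed for illustration.

```python
import hashlib
import io
import tarfile


def content_manifest(tar_bytes):
    """Map each regular file's path (archive root stripped) to its SHA-256."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories and links are not compared here
            # "eigen-eigen-2.0.16/Eigen/Core" -> "Eigen/Core"
            relative = member.name.split("/", 1)[-1]
            data = tar.extractfile(member).read()
            manifest[relative] = hashlib.sha256(data).hexdigest()
    return manifest


def compare_tarballs(old_bytes, new_bytes):
    """Return (byte_identical, content_identical, changed_paths)."""
    old, new = content_manifest(old_bytes), content_manifest(new_bytes)
    changed = sorted(p for p in old.keys() | new.keys() if old.get(p) != new.get(p))
    # This is the comparison a distfile checksum performs: whole-archive bytes.
    same_sum = hashlib.sha256(old_bytes).digest() == hashlib.sha256(new_bytes).digest()
    return same_sum, not changed, changed


def build_sample(root, files):
    """Constructed sample input: an in-memory .tar.bz2 under the given root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{root}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    files = {"Eigen/Core": b"#include <cmath>\n", "COPYING": b"license text\n"}
    mirror = build_sample("eigen-eigen-2.0.16", files)
    # Placeholder directory name standing in for "eigen-eigen-<commit hash>".
    upstream = build_sample("eigen-eigen-0123456789ab", files)
    print(compare_tarballs(mirror, upstream))  # renamed root only
    tampered = build_sample("eigen-eigen-0123456789ab", dict(files, COPYING=b"x"))
    print(compare_tarballs(mirror, tampered))  # real content change
```

The manifest covers file paths and contents only; permissions, timestamps and symlink targets would need their own comparison.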